FINTEAM: Trojanized TeamViewer Against Government Targets (Apr 22, 2019)
Researchers from Check Point discovered a spear phishing campaign targeting government officials at embassies around the world to install the Remote Administration Tool (RAT) "TeamViewer." The malicious attachment pretends to be a top secret US document related to "Military Financing Program" and requests macros to be enabled to view the full content. If macros are enabled, AutoHotKey scripts are run that ultimately load the TeamViewer RAT after connecting to the threat actor's Command and Control (C2) server. The RAT is capable of credentials harvesting, taking screenshots of the user's computer, sending device information to the C2, and transferring and executing additional EXE or DLL files. Some of the affected countries include Bermuda, Guyana, Italy, Kenya, Liberia, Lebanon, and Nepal.
Recommendation: Impersonation of government entities is a commonly used tactic by threat actors in malspam and phishing campaigns. It is important to educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.